Open Firmware is hardware independent firmware (computer software that loads the operating system). Open Firmware is present on PPC (PowerPC) Macs. Open Firmware does allow the user to set a password to keep other users from changing the boot drive or partition. This can be an issue if the investigator wants to boot from a different drive or device.
The easiest way around the Open Firmware password is to simply remove the drive from the suspect machine. Once removed you can connect the drive to a hardware write blocker and acquire a disk image using MacForensicsLab. This could be more problematic with Mac laptops as many require quite a lot of disassembly to get to the hard drive.
If you cannot remove the drive from the Mac or need to use the suspect machine to image the drive you can reset the Open Firmware password using the following steps.
- Shut down the Mac and disconnect the power from it.
- Open the machine.
- Change the RAM configuration. Add or remove RAM so the amount is altered.
- Close the machine and plug it back in.
- Start up the machine and reset the PRAM by holding down the following keys while it boots: Command+Option+P+R You must hold these keys until you hear 3 chimes.
- Once the machine starts you can then shut it down, reinstall the RAM, and boot from the MacForensicsLab DVD to start your investigation.